When it comes to supporting users, the ICT department has traditionally selected the optimal mobile business device for roll-out to employees, but a sea change has occurred.
These days, by the time the budget has been raised, the paperwork completed, and the equipment is being deployed, most users will already be bringing their latest smartphone to the office and connecting ad hoc to the network. As a consumer product it has been superbly designed, it is already familiar to the user, and it has the convenience of being one device spanning both home and office.
Today employees use multiple devices, all connecting into the enterprise network as well as various other networks at restaurants, libraries and at home. Thus the ICT manager begins to lose control over applications and devices on the corporate network, and the enterprise naturally gravitates towards a more open BYOD (Bring Your Own Device) scenario.
Enterprise networks were not originally designed to handle so many diverse devices, differing software platforms, or the sort and scale of ‘upstream’ traffic that is being generated by the YouTube and Facebook generation. So a BYOD strategy in the enterprise must address two major changes: the surge in wireless traffic (both up and downstream) and the shift from providing wired ports for a single device to a greater focus on the mobile user. It is less important now to know what device is being used than to know who is using it, what software platform they have and what access they should be permitted.
The first problem with many existing wireless LANs (WLANs) is that they were added to the corporate network as an overlay, or afterthought, rather than being thoroughly integrated, with a consistent security policy, into the traditional wired network. Typically, the wireless traffic from an access point was sent via some sort of VPN tunnel to the controller for processing and forwarding.
A better solution is provided by today’s more intelligent wireless access points, which work in concert with the network to forward traffic directly to the network switches and controllers. Instead of a separate wireless overlay with its performance bottlenecks, you then have a unified data plane for both wired and wireless traffic – allowing seamless roaming and a wireless experience much closer to that enjoyed by a wired user.
Do you know who is on the network?
The second major issue concerns access and privileges. There are three main classes of user:
- Network managers and engineers who need privileged access into the deep structure of the network
- Employees who can log on for full access only to those network resources relevant to their department or work function
- Guest users who are allowed limited use of the network for Internet access.
It is important to know who is accessing the network in order to make sure that the correct privileges, and only those privileges, are allowed. A holistic network access policy should be put in place to account for user identity, their role in the organization, their location, the resources they require, and the areas they should not be permitted to access. In practical terms, this means distinguishing between students and teachers, doctors and nurses, etc.
Device identity takes second place, but is still important. Different devices make different demands on the network: some are wired and some are wireless, and some may be dedicated to more critical applications.
To make sure nothing slips past, it is best to have identity management integrated into the network operating system running on the Ethernet switch. It is also better not to rely on any single identification mechanism in client software, but rather to include access tools that work at the network level, where all traffic is treated consistently, regardless of device:
- 802.1X identification, including support for multiple supplicant implementations
- Kerberos snooping for Microsoft Active Directory users
- If neither of the above applies, the user can be quarantined and restricted to a captive portal to authenticate to the network
- Guests are offered an open VLAN for Internet access, but ideally that access should still be controlled to allow only a selection of relevant services such as Google, e-mail or LinkedIn.
Here again the advantage of a unified data plane is that identity management is enforced right at the edge of the network rather than traffic being sent to a central controller. Ideally all access points should support identity management features by default, and all user identities should also be monitored centrally so that you can see who is on the network, wherever they are and whether wired or wireless.
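As an added example (not code from the original article or any vendor's product), the following Python policy decision applies the identification chain just listed, in order of trust (802.1X, then Kerberos snooping, then captive-portal login, then guest VLAN, with quarantine as the default), together with the three user classes from the previous section. All role names, VLAN numbers, the Kerberos realm, the directory contents and the guest service hostnames are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example policy; role names, VLANs, realm and hosts are assumptions, not vendor defaults.
CORP_REALM = "CORP.EXAMPLE"
ROLE_POLICY = {
    "netadmin":   {"vlan": 10, "allow": {"mgmt", "internal", "internet"}},
    "employee":   {"vlan": 20, "allow": {"internal", "internet"}},
    "guest":      {"vlan": 90, "allow": {"internet"}},
    "quarantine": {"vlan": 99, "allow": {"captive-portal"}},
}
GUEST_SERVICES = {"www.google.com", "mail.example.com", "www.linkedin.com"}  # guest whitelist
DIRECTORY = {"alice": "netadmin", "bob": "employee"}  # constructed identity -> role lookup

@dataclass
class Signals:
    """What the edge switch/AP has observed for one endpoint, wired or wireless."""
    dot1x_user: Optional[str] = None          # identity from a successful 802.1X exchange
    kerberos_principal: Optional[str] = None  # user@REALM seen by Kerberos snooping
    portal_user: Optional[str] = None         # identity from a captive-portal login
    guest_session: bool = False               # portal guest/self-registration

def resolve_identity(s: Signals) -> Optional[str]:
    """Walk the identification methods in the order listed above; None means unknown."""
    if s.dot1x_user:
        return s.dot1x_user
    if s.kerberos_principal and "@" in s.kerberos_principal:
        user, realm = s.kerberos_principal.rsplit("@", 1)
        if realm.upper() == CORP_REALM:   # only trust tickets issued by the corporate realm
            return user
    return s.portal_user

def decide(s: Signals) -> tuple:
    """Return (user, role, vlan); anything unrecognised lands in quarantine."""
    user = resolve_identity(s)
    if user in DIRECTORY:
        role = DIRECTORY[user]
    elif s.guest_session:
        role = "guest"
    else:
        role = "quarantine"  # restricted to the captive portal until authenticated
    return user, role, ROLE_POLICY[role]["vlan"]

def is_allowed(role: str, resource: str, host: str = "") -> bool:
    """Least privilege: the resource class must be in the role's allow set; guests also face the host list."""
    if resource not in ROLE_POLICY[role]["allow"]:
        return False
    return host in GUEST_SERVICES if role == "guest" else True
```

The same decision is taken whether the endpoint arrived over a wired port or a wireless radio, which is the point of enforcing identity at the edge rather than treating the WLAN as a separate overlay.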
Choice of hardware
Different situations require different physical configurations: integrated or external antennas, mounting on wall or ceiling and so on. Look for a comprehensive hardware range that includes all the features you need in all configurations.
The correct choice of wired switches is also important for supporting a unified data plane. The best wired edge switches are designed specifically for this purpose and support a single easy-to-use operating system including identity management, stacking and many other advanced edge features across the infrastructure from access point to the core without needing customization.
A good management solution will do much to simplify management and maintenance and so reduce the operating cost of the wireless network. As well as monitoring and surveying the network it should provide detailed diagnostic tools and deliver reports to assist the manager.
Keeping costs down
As more employees join the BYOD trend, the time and management costs may keep rising. A correctly designed network, however, with a unified wired/wireless data plane and purpose-built operating system, will not only scale seamlessly but also remains secure and manageable.
Here are the key points:
- A simple, intuitive command line interface (CLI) purpose-built for switches will simplify changes and upgrades
- A single operating system across all devices will simplify upgrades
- Policy-based control software will apply the same policy to every access point of the same type, saving a lot of repetitive work
- The controller should automatically extend software updates across all the access points without requiring manual work
- A comprehensive range of access hardware should allow you to choose the optimal access device for the optimal placement – saving installation costs and reducing waste
- Today’s more intelligent access devices and controllers employ Smart RF to automatically adjust power and channel settings for optimal performance, even allowing for outages and interference. This reduces the risk of cross-channel interference and saves a lot of fiddly adjustment of individual access points.
In practice, the right choice of access points, controllers and software has been shown to reduce total operating costs by 30 to 50%, quite apart from the advantage of having a unified system scalable to the heavy demands of the BYOD trend.
For the IT department, BYOD can prove a headache. Without a strategy to ensure that the corporate network is up to the task, the gains in productivity and the savings in buying equipment for employees will be offset by an enormous increase in network complexity and management costs.
On the other hand, the right strategy and choices will not only support seamless integration of BYOD but also ensure high security and wireless performance at near wired levels, without further demands on the IT department’s time and resources.